Invoices exposed on NGINX
Hi,
You should put a warning in your description for NGINX users; better even to add a warning when the plugin is activated on NGINX servers.
There is now only a .htaccess file that prevents direct access to the upload path: /uploads/wpo_wcpdf/attachments/
With a bit of effort, if you have identified a server using your plugin, it is fairly easy to scrape all the invoices, since file names are just ‘invoice-ID.pdf’…
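
An NGINX equivalent of that .htaccess protection, as an added example that is not part of the original post or the plugin's own code. It assumes the default WordPress layout, where the upload path named above sits under /wp-content/uploads/, and that invoices are only meant to be delivered through WordPress rather than by direct URL.

```nginx
# Place inside the server { } block that serves the WordPress site.
# Assumption: uploads live under the default /wp-content/uploads/ prefix;
# adjust the path if the uploads directory has been relocated.

# Before (weak): no location matches the plugin directory specifically, so a
# request for a PDF falls through to generic static-file handling and the
# file is served. The .htaccess in that directory is never read, because
# NGINX does not process .htaccess files.
#
# location / {
#     try_files $uri $uri/ /index.php?$args;
# }

# After: refuse every direct request under the plugin's upload directory.
# The "^~" modifier stops NGINX from evaluating regex locations (for example
# a static-asset caching block matching "\.pdf$") that would otherwise take
# precedence over a plain prefix match and serve the file anyway.
location ^~ /wp-content/uploads/wpo_wcpdf/ {
    deny all;
}
```

Validate the configuration with `nginx -t`, reload, and confirm that a direct request for an existing PDF in that directory on your own site now returns 403.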